I am using Jinja, which didn't seem to use CSRF, but then I installed django registration and got lost, since it seems to be using some other views that I don't have access to, so to say: they are not written by me, and I can't figure out where they are. "Standard auth views", as they call them. So I am unable to add "RequestContext".

Have you also got the standard Django Templating system installed? That will be required for most apps that are distributed with templates.

For CSRF, a context processor inserts the variable 'csrf_token' into the response context that it retrieves from the middleware if enabled. Now all you have to do is make sure that it's a part of your form.

This is straight out of django.core, and is subject to change at any time.

However, seeing that, all you really need to know is that you have to have an input type named csrfmiddlewaretoken with the value of context.get('csrf_token','') within your form and that's all she wrote.

I am having the same problem. What's happening if I don't see the input type named csrfmiddlewaretoken when I look at the source of the template?
– juankysmith, Jun 17 '11 at 6:30

@juanky, the point is it must be included in your templates. Django provides a {% csrf_token %} context processor for this purpose. If you're using a different templating language, you need to ensure that the HTML in the code above is included in each and every form within your templates.
– Josh Smeaton, Jun 18 '11 at 14:58

I have {% csrf_token %} inside every form, my views use RequestContext instead of request and the TEMPLATE_CONTEXT_PROCESSORS are ordered correctly in settings.py... but I still get this stupid 'CSRF token missing or incorrect' message
– juankysmith, Jun 20 '11 at 6:32

This answer isn't specific to django-registration, but just using Django with Jinja2 in general.

Django's CsrfViewMiddleware sets the csrf_token cookie if it determines that you have accessed the csrf_token context member. Unfortunately, Jinja2 rendering doesn't occur until after Django's middleware executes. As a result, the cookie doesn't get set, and therefore does not match the form, and you will get the 403 error.

To get around this issue, you need to access context['csrf_token'] at some point before you finish processing the response.

If you're using class-based views, you can create a CsrfProtectMixin:

    from django.template import RequestContext


    class CsrfProtectMixin(object):
        def render_to_response(self, context, **response_kwargs):
            # Csrf processing happens when using a RequestContext.
            # Be sure to use one.
            if not isinstance(context, RequestContext):
                context = RequestContext(self.request, context)
            # Force access to csrf_token due to the way jinja2 renders the template
            # after middleware has finished processing. Otherwise, the csrf cookie
            # will not be set.
            str(context.get('csrf_token'))
            return super(CsrfProtectMixin, self).render_to_response(context, **response_kwargs)
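The two failure modes discussed in this thread (a form rendered without a csrfmiddlewaretoken input, and a response that never sets the CSRF cookie) can be told apart with a small check. This is an added example, not code from any of the posts or from Django; it uses only the Python standard library, the cookie name `csrftoken` is assumed to be Django's default `CSRF_COOKIE_NAME`, and the sample page and headers are constructed.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

TOKEN_FIELD = "csrfmiddlewaretoken"  # field name given in the answers above

# Constructed sample: a rendered page and the Set-Cookie headers of a first visit.
SAMPLE_HTML = """
<form method="post" action="/accounts/login/">
  <input type="hidden" name="csrfmiddlewaretoken" value="CONSTRUCTED">
</form>
<form method="POST" action="/accounts/register/"><input name="email"></form>
"""
SAMPLE_SET_COOKIE = ["sessionid=constructed; Path=/; HttpOnly"]

class FormScanner(HTMLParser):
    """Record each POST form and whether it holds a non-empty token field."""

    def __init__(self):
        super().__init__()
        self.forms = []    # [action, has_token] per POST form
        self._open = None  # POST form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = None
            if (a.get("method") or "get").lower() == "post":
                self._open = [a.get("action") or "", False]
                self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            # An empty value (token missing from the context) counts as absent.
            if a.get("name") == TOKEN_FIELD and a.get("value"):
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def diagnose(html, set_cookie_headers, cookie_name="csrftoken"):
    """Findings for one page fetched without cookies (cookie_name: assumed default)."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = [f"form action={action!r}: no {TOKEN_FIELD} input"
                for action, has_token in scanner.forms if not has_token]
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    if scanner.forms and cookie_name not in jar:
        findings.append(f"response did not set the {cookie_name!r} cookie")
    return findings
```

Run it against a page requested with an empty cookie jar; a browser that already holds the cookie will not necessarily receive a new Set-Cookie header.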